Date: Sun, 13 Jul 2014 16:26:15 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Peter Toth <peter.toth198@gmail.com>
Cc: freebsd-jail@freebsd.org
Subject: Re: securelevel in VNET jails using ipfw(8)
Message-ID: <20140713161302.M50382@sola.nimnet.asn.au>
In-Reply-To: <CAEUAJxt8qMpvcLCSjSHUU-jMAHVRQvzjh1C++tF5tgB_0LYeHw@mail.gmail.com>
References: <20140713014641.J50382@sola.nimnet.asn.au> <CAEUAJxt8qMpvcLCSjSHUU-jMAHVRQvzjh1C++tF5tgB_0LYeHw@mail.gmail.com>
On Sun, 13 Jul 2014 07:42:42 +1200, Peter Toth wrote:
> Hi Ian,
>
> This is for the jail's securelevel option. If you set it to the highest
> number 3 it will fail to load IPFW rules in a jail during startup.
>
> Snip from "man securelevel":
> Network secure mode - same as highly secure mode, plus IP packet
> filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
> changed and dummynet(4) or pf(4) configuration cannot be adjusted.
>
> Cheers,
> Peter

I understood why 3 wouldn't work. What I hadn't realised was that you
were defaulting iocage jails to securelevel 3, which just shows that I
hadn't read the manual :)

ezjail has tests for securelevel > 0 re installing or updating, but I
assumed that to refer to the host's securelevel.

Thanks, Ian

> On Sun, Jul 13, 2014 at 4:08 AM, Ian Smith <smithi@nimnet.asn.au> wrote:
>
> > Hi Peter,
> >
> > from your FAQ at http://iocage.readthedocs.org/en/latest/faq.html
> >
> > "If you plan on using IPFW inside a jail make sure securelevel is set to 2"
> >
> > Unless this is also a FAQ you can point me to, can you explain why this
> > is needed? Reading security(7) leaves me unclear on how securelevels
> > apply in a jail, or what it may be about ipfw(8) particularly that could
> > compromise jail (or host?) security, that other services could not?
> >
> > cheers, Ian
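The failure mode discussed in this thread (a jail at securelevel 3 cannot load its ipfw(8) rules at start-up, because the network secure mode forbids changing packet-filter rules) is easy to catch before the jail is ever started. The script below is an added example written for this archive page; it is not code from the thread, from iocage or from ezjail. It assumes the common jail.conf(5) layout of `name { param = value; }` blocks with defaults set before the first block, and the sample configuration it writes is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a small lint for jail.conf(5) that
# reports jails which set securelevel >= 3 and also run ipfw(8) at start-up.
# Assumes the common "name { param = value; }" layout; parameters set before
# any block are treated as defaults, as jail.conf(5) does.

# Write a constructed sample jail.conf to a temp file and print its path.
write_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not taken from any real system
exec.start = "/bin/sh /etc/rc";
securelevel = 2;

web {
    vnet;
    securelevel = 3;
    exec.start += "/sbin/ipfw -q /etc/ipfw.rules";
}

db {
    vnet;
    exec.start += "/sbin/ipfw -q /etc/ipfw.rules";
}

plain {
    securelevel = 3;
}
EOF
    echo "$f"
}

# Print "name level" for every jail whose effective securelevel is 3 or
# higher while its configuration references ipfw.
check_jail_conf() {
    awk '
        BEGIN { depth = 0; deflevel = "" }
        /^[ \t]*[^ \t{}#]+[ \t]*\{/ {          # "name {" opens a jail block
            depth = 1; name = $1; sub(/\{.*/, "", name)
            level = deflevel; ipfw = 0
            next
        }
        /securelevel[ \t]*=/ {                 # capture the numeric value
            v = $0; sub(/.*=[ \t]*/, "", v); sub(/[ \t;].*/, "", v)
            if (depth) level = v; else deflevel = v
        }
        depth && /ipfw/ { ipfw = 1 }           # rules are loaded inside this jail
        /^[ \t]*\}/ {                          # block closes: report if unsafe
            if (depth && level != "" && level + 0 >= 3 && ipfw) print name, level
            depth = 0
        }
    ' "$1"
}

# Stand-alone use: lint the sample, or a real file given as $1.
conf=${1:-$(write_sample_conf)}
check_jail_conf "$conf"
```

Run against the sample it reports only `web 3`: `db` inherits the default securelevel of 2 and `plain` is at 3 but loads no rules, so neither is flagged. For a jail that is already running, `jexec <name> sysctl -n kern.securelevel` shows the effective value, which is what ipfw(8) is checked against when its rules are loaded.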